)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":9542,"name":"Pavlo Shchelokovskyy","email":"pshchelokovskyy@mirantis.com","username":"pshchelo"},"change_message_id":"aef60c6752f36f569454a72affd8ef3771a7307e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"41c63d52_4bc44515","updated":"2023-02-15 11:42:30.000000000","message":"@Abhishek,","commit_id":"84625bedfb5b4aab053d69192c2dfbb42bdf9dd2"},{"author":{"_account_id":8122,"name":"Cyril Roelandt","email":"cyril@redhat.com","username":"cyril.roelandt.enovance"},"change_message_id":"c503757b52249d8cafe4dc74e1835101778106db","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"f1e1e0f9_96a9aee9","updated":"2023-05-03 21:15:25.000000000","message":"OK this makes sense, thanks!","commit_id":"84625bedfb5b4aab053d69192c2dfbb42bdf9dd2"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"6b4270f14da663a67f9486a61004fb9f55bbbcc6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"bdef49b0_f47cb7f6","updated":"2023-02-22 04:27:17.000000000","message":"Thank you, looks good to me!","commit_id":"84625bedfb5b4aab053d69192c2dfbb42bdf9dd2"}],"glance/policies/base.py":[{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"ece385ece9dad70680337631e70db27e5e982f7d","unresolved":true,"context_lines":[{"line_number":57,"context_line":"# typical in OpenStack services. 
But following check strings offer formal"},{"line_number":58,"context_line":"# support for project membership and a read-only variant consistent with"},{"line_number":59,"context_line":"# other OpenStack services."},{"line_number":60,"context_line":"ADMIN_OR_PROJECT_MEMBER \u003d f\u0027rule:context_is_admin or ({PROJECT_MEMBER})\u0027"},{"line_number":61,"context_line":"ADMIN_OR_PROJECT_READER \u003d f\u0027rule:context_is_admin or ({PROJECT_READER})\u0027"},{"line_number":62,"context_line":"ADMIN_OR_PROJECT_READER_GET_IMAGE \u003d ("},{"line_number":63,"context_line":"    f\u0027rule:context_is_admin or \u0027"}],"source_content_type":"text/x-python","patch_set":1,"id":"87127cdf_e2976386","line":60,"range":{"start_line":60,"start_character":28,"end_line":60,"end_character":48},"updated":"2023-02-15 05:58:57.000000000","message":"Instead of defining as rule:context_is_admin\n\nwhy not do this?\n\nADMIN \u003d \u0027role:admin\u0027\nADMIN_OR_PROJECT_MEMBER \u003d f\u0027({ADMIN}) or ({PROJECT_MEMBER})\u0027","commit_id":"84625bedfb5b4aab053d69192c2dfbb42bdf9dd2"},{"author":{"_account_id":9542,"name":"Pavlo Shchelokovskyy","email":"pshchelokovskyy@mirantis.com","username":"pshchelo"},"change_message_id":"aef60c6752f36f569454a72affd8ef3771a7307e","unresolved":true,"context_lines":[{"line_number":57,"context_line":"# typical in OpenStack services. 
But following check strings offer formal"},{"line_number":58,"context_line":"# support for project membership and a read-only variant consistent with"},{"line_number":59,"context_line":"# other OpenStack services."},{"line_number":60,"context_line":"ADMIN_OR_PROJECT_MEMBER \u003d f\u0027rule:context_is_admin or ({PROJECT_MEMBER})\u0027"},{"line_number":61,"context_line":"ADMIN_OR_PROJECT_READER \u003d f\u0027rule:context_is_admin or ({PROJECT_READER})\u0027"},{"line_number":62,"context_line":"ADMIN_OR_PROJECT_READER_GET_IMAGE \u003d ("},{"line_number":63,"context_line":"    f\u0027rule:context_is_admin or \u0027"}],"source_content_type":"text/x-python","patch_set":1,"id":"eb2b42f6_9d4ffd5a","line":60,"range":{"start_line":60,"start_character":28,"end_line":60,"end_character":48},"in_reply_to":"87127cdf_e2976386","updated":"2023-02-15 11:42:30.000000000","message":"because this does not make it easier to override things in the policies file.\n\nVery concrete example - I want to limit global admin to only be \u0027role admin in the admin project\u0027. How would I currently have to override that via policy files? By manually re-writing most of them.\n\nWhen we define the \u0027adminness\u0027 as a \u0027rule\u0027 that can actually be defined in the policy file, I can re-define only a single rule instead:\n\n  context_is_admin: role:admin and is_admin_project:True\n  \n(given Keystone is configured to send the is_admin_project flag)\n\nWhat\u0027s more, the rule is already defined (L106); it is just used only for the \u0027is_admin:True\u0027 calculation at the moment.","commit_id":"84625bedfb5b4aab053d69192c2dfbb42bdf9dd2"}]}
